CN112953809B - System and method for generating multilayer VLAN flow - Google Patents

Publication number: CN112953809B
Application number: CN202110320270.0A
Authority: CN (China)
Prior art keywords: vlan, switch, packet, flow data, data packet
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Other languages: Chinese (zh)
Other versions: CN112953809A
Inventor: 张瑀
Current Assignee: Hangzhou DPTech Technologies Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Hangzhou DPTech Technologies Co Ltd
Application filed by Hangzhou DPTech Technologies Co Ltd
Priority to CN202110320270.0A
Publication of CN112953809A
Application granted
Publication of CN112953809B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 49/00 Packet switching elements
    • H04L 49/60 Software-defined switches
    • H04L 49/602 Multilayer or multiprotocol switching, e.g. IP switching

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure relates to a system, method, electronic device and computer-readable medium for generating multilayer VLAN traffic. The system comprises: a first packet transceiving device, which generates a VLAN traffic data packet; a switch, which receives the VLAN traffic data packet from the first packet transceiving device and, by means of its snake-shaped cabling, forwards the VLAN traffic inside itself multiple times so as to generate a multilayer VLAN traffic data packet; and a second packet transceiving device, which receives the multilayer VLAN traffic data packet from the switch. The system, method, electronic device and computer-readable medium can produce multilayer VLAN traffic messages through the switch alone, without modifying the traffic messages, are not limited by tool software when generating them, and therefore take little time and are highly efficient.

Description

System and method for generating multilayer VLAN flow
Technical Field
The present disclosure relates to the field of computer information processing, and in particular, to a system, a method, an electronic device, and a computer readable medium for generating multilayer VLAN traffic.
Background
With the popularization and wide application of networks, various tunnelling and message-encapsulation technologies have appeared in order to partition private networks or networks in general; VLAN is one of the most common, and when a message undergoes repeated VLAN addition and removal along its transmission path, a VLAN traffic message with more than two layers can result. To ensure that an intrusion prevention system intercepts attacks accurately and does not affect the forwarding of normal messages whatever extreme encapsulation condition it encounters, its testing should include, in addition to the conventional single-layer VLAN message test, an intrusion prevention test with multilayer VLAN traffic under extreme conditions.
Since the multi-layer VLAN traffic generation in the prior art is complex, a new multi-layer VLAN traffic generation system, method, electronic device, and computer readable medium are needed.
The above information disclosed in this background section is only for enhancement of understanding of the background of the disclosure and therefore it may contain information that does not form the prior art that is already known to a person of ordinary skill in the art.
Disclosure of Invention
In view of this, the present disclosure provides a system, a method, an electronic device and a computer-readable medium for generating multilayer VLAN traffic, which can produce multilayer VLAN traffic through a switch alone, without modifying the traffic messages, and are not limited by tool software when generating the multilayer VLAN traffic; the time taken is therefore short and the efficiency high.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of the disclosure.
According to an aspect of the present disclosure, a system for generating multilayer VLAN traffic is provided, the system including: a first packet transceiving device, which generates a VLAN traffic data packet; a switch, which receives the VLAN traffic data packet from the first packet transceiving device and forwards the VLAN traffic inside itself multiple times through its snake-shaped networking so as to generate a multilayer VLAN traffic data packet; and a second packet transceiving device, which receives the multilayer VLAN traffic data packet from the switch.
In an exemplary embodiment of the present disclosure, the first interface of the switch is connected to the packet sending interface of the first packet sending and receiving device; and the last interface of the switch is connected with the packet receiving interface of the second packet receiving and transmitting device.
In an exemplary embodiment of the disclosure, the switch includes a plurality of interfaces, and the interfaces from the second interface to the second-to-last interface of the switch are connected in pairs, in sequence.
In an exemplary embodiment of the present disclosure, the plurality of interfaces of the switch are configured in trunk mode.
In an exemplary embodiment of the present disclosure, the trunk allowed VLAN of an odd-numbered interface of the switch is the same as the trunk allowed VLAN of the interface immediately before it, and the trunk allowed VLAN of an even-numbered interface of the switch is the same as the trunk allowed VLAN of the interface two positions before it.
In an exemplary embodiment of the disclosure, the plurality of interfaces of the switch are configured as QINQ policies.
In an exemplary embodiment of the present disclosure, the system further comprises: an intrusion prevention system, connected in series between the switch and the second packet transceiving device, which performs intrusion detection on the multilayer VLAN traffic data packet and generates a detection result; and a management device, which obtains and analyses the detection result.
According to an aspect of the present disclosure, a method for generating multilayer VLAN traffic is provided, the method including: the first packet transceiving device generates a VLAN traffic data packet; the switch receives the VLAN traffic data packet from the first packet transceiving device; the switch forwards the VLAN traffic inside itself multiple times through its snake-shaped networking so as to generate a multilayer VLAN traffic data packet; and the second packet transceiving device receives the multilayer VLAN traffic data packet from the switch.
In an exemplary embodiment of the disclosure, the first packet transceiving device generating a VLAN traffic packet comprises: the first packet transceiving device generates attack-class VLAN traffic data packets; and/or it generates background-traffic-class VLAN traffic data packets; and/or it generates abnormal-message-class VLAN traffic data packets; and/or it generates mixed-message-class VLAN traffic data packets.
In an exemplary embodiment of the present disclosure, the method further comprises: the intrusion prevention system obtains the multilayer VLAN traffic data packet between the switch and the second packet transceiving device, performs intrusion detection on it and generates a detection result.
In an exemplary embodiment of the disclosure, the intrusion prevention system obtaining the multilayer VLAN traffic data packet between the switch and the second packet transceiving device for intrusion detection includes: the intrusion prevention system obtains the multilayer VLAN traffic data packet between the switch and the second packet transceiving device; when the multilayer VLAN traffic data packet is of the attack class, the abnormal-message class or the mixed-message class, intrusion detection is performed on the traffic data packet; and when the multilayer VLAN traffic data packet is of the background-traffic class, the multilayer VLAN traffic data packet is forwarded.
According to an aspect of the present disclosure, an electronic device is provided, the electronic device including: one or more processors; and storage means for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method above.
According to an aspect of the disclosure, a computer-readable medium is proposed, on which a computer program is stored which, when being executed by a processor, carries out the method as above.
According to the system, method, electronic device and computer-readable medium for generating multilayer VLAN traffic, the first packet transceiving device generates a VLAN traffic data packet; the switch receives the VLAN traffic data packet from the first packet transceiving device and forwards the VLAN traffic inside itself multiple times through its snake-shaped networking so as to generate a multilayer VLAN traffic data packet; and the second packet transceiving device receives the multilayer VLAN traffic data packet from the switch. In this way multilayer VLAN traffic messages can be produced through the switch alone, without modifying the traffic messages, and their generation is not limited by tool software, so the time taken is short and the efficiency high.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings. The drawings described below are merely some embodiments of the present disclosure, and other drawings may be derived from those drawings by those of ordinary skill in the art without inventive effort.
Fig. 1 is a system block diagram illustrating a system for generating multi-layer VLAN traffic in accordance with an exemplary embodiment.
Fig. 2 is a schematic block diagram of a system for generating multi-layer VLAN traffic in accordance with an exemplary embodiment.
Fig. 3 is a block diagram illustrating an intrusion prevention detection system in a system for generating multi-layer VLAN traffic in accordance with an exemplary embodiment.
Fig. 4 is a flow chart illustrating a method of generating multi-layer VLAN traffic according to another exemplary embodiment.
Fig. 5 is a flow chart illustrating a method of generating multi-layer VLAN traffic in accordance with another exemplary embodiment.
FIG. 6 is a block diagram illustrating an electronic device in accordance with an example embodiment.
FIG. 7 is a block diagram illustrating a computer-readable medium in accordance with an example embodiment.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The same reference numerals denote the same or similar parts in the drawings, and thus, a repetitive description thereof will be omitted.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and so forth. In other instances, well-known methods, implementations, or operations are not shown or described in detail to avoid obscuring aspects of the disclosure.
The block diagrams shown in the figures are functional entities only and do not necessarily correspond to physically separate entities. I.e. these functional entities may be implemented in the form of software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor means and/or microcontroller means.
The flowcharts shown in the figures are illustrative only and do not necessarily include all of the contents and operations/steps, nor do they necessarily have to be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
It will be understood that, although the terms first, second, third, etc. may be used herein to describe various components, these components should not be limited by these terms. These terms are used to distinguish one element from another. Thus, a first component discussed below may be termed a second component without departing from the teachings of the disclosed concept. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
It is to be understood by those skilled in the art that the drawings are merely schematic representations of exemplary embodiments, and that the blocks or processes shown in the drawings are not necessarily required to practice the present disclosure and are, therefore, not intended to limit the scope of the present disclosure.
The technical abbreviations referred to in this application are explained as follows:
VLAN stands for Virtual Local Area Network; it works at layers 2 and 3 of the OSI reference model, and each VLAN is one broadcast domain. The same physical local area network can be divided into several different broadcast domains by different VLANs, and different VLANs can communicate with each other only through layer-3 routing, which improves network security.
QinQ technology (also called Stacked VLAN or Double VLAN) can effectively extend the number of available VLANs.
An Intrusion Prevention System (IPS) is a computer network security facility that complements anti-virus software (anti-virus programs) and firewalls (packet filters, application gateways).
To test whether VLANs affect the detection of an intrusion prevention device, multilayer VLAN traffic messages have to be constructed; but the messages used in a typical test are usually messages without any VLAN, so a VLAN is added by modifying the message with software before the test is performed.
Message-construction tool software is used to create a message carrying a VLAN, or to modify an existing attack message, and the message is sent to the intrusion prevention device under test to check whether it can process the VLAN-carrying message and accurately detect the attack type.
This approach can increase the number of VLAN layers by creating or modifying existing attack messages by hand, build messages with a multilayer VLAN structure and perform intrusion prevention detection with multilayer VLANs, but it is limited to attacks consisting of a small number of messages.
Constructing and modifying messages is complex, constrained by the tool software, time consuming and inefficient; many messages cannot be modified in a batch at once, and whenever the type of traffic sent changes, new messages have to be modified again. The system for generating multilayer VLAN traffic disclosed here uses ordinary attack messages and background traffic without VLANs, and adds a multilayer VLAN structure to these VLAN-less messages by means of the QINQ function of the switch interfaces, passing the traffic through the switch repeatedly so as to generate multilayer VLAN traffic, which can then be sent to the intrusion detection device for testing.
The present disclosure is described in detail below with reference to specific examples.
Fig. 1 is a system block diagram illustrating a system for generating multi-layer VLAN traffic in accordance with an exemplary embodiment.
The first packet transceiving device 102 is configured to generate a VLAN traffic packet;
the switch 104 receives the VLAN traffic data packet from the first packet transceiving device and forwards the VLAN traffic inside itself multiple times through its own snake-shaped networking to generate a multilayer VLAN traffic data packet;
the second packet transceiving device 106 is configured to receive the multilayer VLAN traffic packet from the switch.
The first interface of the switch 104 is connected to the packet-sending interface of the first packet transceiving device 102, and the last interface of the switch 104 is connected to the packet-receiving interface of the second packet transceiving device 106.
The switch 104 includes a plurality of interfaces, and the interfaces from the second interface to the second-to-last interface of the switch 104 are connected in pairs. The interfaces of the switch 104 are configured in trunk mode. The trunk allowed VLAN of an odd-numbered interface of the switch 104 is the same as the trunk allowed VLAN of the interface immediately before it; the trunk allowed VLAN of an even-numbered interface of the switch 104 is the same as the trunk allowed VLAN of the interface two positions before it. The interfaces of the switch 104 are configured with QINQ policies.
Fig. 2 is a schematic block diagram of a system for generating multi-layer VLAN traffic in accordance with an exemplary embodiment. As shown in fig. 2, the solid lines show traffic travelling outside the device, the dashed lines show traffic travelling inside the device, and the dashed lines inside the circle show irrelevant traffic produced by the broadcast (which is discarded without affecting the test).
More specifically, the deployment for constructing the multilayer VLAN traffic is as follows:
1. A PC1 (or another packet transceiving device; this embodiment uses a PC only as an example) is used to send packets; its packet-sending interface is connected to switch port gige0_0, which serves as the message input interface.
2. Another PC, PC2, is connected to the last port of the switch, gige0_n (where n is odd and the switch has n+1 ports).
3. Port gige0_1 of the switch is cabled to port gige0_2, gige0_3 to gige0_4, and so on up to gige0_n-2 cabled to gige0_n-1, forming the snake-shaped networking.
4. All interfaces of the switch are configured in trunk mode.
5. The trunk native VLANs of the n+1 interfaces gige0_0 to gige0_n are VLAN1 to VLAN n+1 respectively.
6. The trunk allowed VLANs of gige0_1 to gige0_n are configured so that ports 0_1 and 0_2 allow VLAN 1, ports 0_3 and 0_4 allow VLAN 3, and so on: if the interface id is odd, the trunk allowed VLAN is the same as the trunk native VLAN of the interface immediately before it; if the interface id is even, it is the same as the trunk native VLAN of the interface two positions before it.
7. Using the QINQ function of the switch, a QINQ policy is configured on each interface (gige0_0 may be left unconfigured). Basic QINQ adds a new VLAN layer at the outermost position of the message in the inbound direction, on top of the original VLAN, with the VLAN ID equal to the native VLAN of the current interface.
Fig. 3 is a block diagram of an intrusion prevention detection system in a system for generating multi-layer VLAN traffic in accordance with an exemplary embodiment. As shown in fig. 3, the intrusion prevention system is connected in series between the switch and the second packet transceiving device, performs intrusion detection on the multilayer VLAN traffic data packet and generates a detection result; the management device obtains and analyses the detection result.
More specifically, the test procedure is as follows:
1. The intrusion detection device is connected in series between the switch and PC2, and the intrusion prevention policy is configured.
2. PC1 replays messages; attack messages, background traffic, abnormal messages or mixed messages can be selected as required.
3. After being encapsulated in (n+1)/2 VLAN layers by the switch, the attack messages are processed and detected.
4. The intrusion detection device detects the attacks encapsulated in multilayer VLANs normally, and the multilayer VLAN background traffic is forwarded normally.
Fig. 4 is a flow diagram illustrating a system and method for generating multi-layer VLAN traffic in accordance with an exemplary embodiment. The system and method 40 for generating multilayer VLAN traffic includes at least steps S402 to S408.
As shown in fig. 4, in S402 the first packet transceiving device generates a VLAN traffic packet. The first packet transceiving device may, for example, generate attack-class VLAN traffic packets, background-traffic-class VLAN traffic packets, abnormal-message-class VLAN traffic packets, or mixed-message-class VLAN traffic packets.
In S404, the switch receives the VLAN traffic data packet from the first packet transceiving device.
In S406, the switch forwards the VLAN traffic inside itself multiple times through its own snake-shaped networking to generate a multilayer VLAN traffic data packet.
More specifically, a message without a VLAN enters the switch at gige0_0 and, according to the interface VLAN rule, has one layer, VLAN1, added; since both gige0_1 and gige0_2 belong to VLAN1, the traffic is broadcast out of gige0_1 and gige0_2.
Following the cabling, the message output from gige0_2 enters at gige0_1, where the basic QINQ configured on that interface adds VLAN2 at the outermost layer; the traffic becomes a double-layer VLAN message with inner VLAN1 and outer VLAN2. No interface other than gige0_1 belongs to VLAN2, so this copy has no output interface and is discarded.
The other copy, output from gige0_1, enters at gige0_2, where the QINQ configuration adds VLAN3 at the outermost layer; the traffic becomes a double-layer VLAN message with inner VLAN1 and outer VLAN3. In the same way, traffic in outer VLAN3 is output from gige0_3 and gige0_4; the copy output from gige0_4 enters at gige0_3, gains a VLAN4 layer, has no output interface and is discarded, while the copy output from gige0_3 enters at gige0_4, gains VLAN5 at the outermost layer and is forwarded onward.
Finally, at the gige0_n egress, the packet that PC2 receives carries VLAN1, VLAN3, VLAN5, …, VLAN n-2 and VLAN n in order from the innermost to the outermost layer. A message that traverses this networking is thus encapsulated in (n+1)/2 VLAN layers.
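As an added illustration of the seven deployment steps and of the hop-by-hop tag stacking just described (example code written for this page, not the patent's or DPTech's own), the following Python script models the n+1 port switch: port gige0_i is integer i, the native VLANs, allowed VLANs and snake cabling follow steps 3, 5 and 6, and every port pushes its native VLAN as a new outer tag on ingress (step 7; gige0_0 simply classifies the untagged frame into VLAN1). The per-port flooding model, the sample MAC addresses and the use of TPID 0x8100 for every tag are assumptions of the example. It also shows what the device under test must do on the receiving side: walk an arbitrary number of 802.1Q tags before it reaches the inner protocol, since a parser that stops after one or two tags mis-classifies the deeper frames this rig produces.

```python
"""Model of the snake-wired QinQ switch from the description above.

Added example for this page (not the patent's or DPTech's code). Port gige0_i
is modelled as integer i, for i in 0..n with n odd. Trunk native VLAN, trunk
allowed VLAN and the pairwise cabling follow steps 3, 5 and 6; basic QinQ
(step 7) is modelled as "on ingress, push the ingress port's native VLAN as
the new outermost tag". The flooding model, the sample MAC addresses and the
use of TPID 0x8100 for every tag are assumptions of this example.
"""
from collections import deque
from typing import Dict, List, Optional, Tuple

TPID_8021Q = 0x8100  # assumption: the switch tags every layer with the 802.1Q TPID


def build_switch(n: int) -> Tuple[Dict[int, int], Dict[int, int]]:
    """Per-port trunk native VLAN and trunk allowed VLAN for gige0_0 .. gige0_n."""
    if n < 1 or n % 2 == 0:
        raise ValueError("n must be odd: the switch has n+1 ports, gige0_0 .. gige0_n")
    native = {i: i + 1 for i in range(n + 1)}          # step 5: gige0_i -> VLAN i+1
    allowed = {0: native[0]}                           # gige0_0 only carries its native VLAN
    for i in range(1, n + 1):                          # step 6
        allowed[i] = native[i - 1] if i % 2 == 1 else native[i - 2]
    return native, allowed


def snake_cabling(n: int) -> Dict[int, int]:
    """Step 3: gige0_1<->gige0_2, gige0_3<->gige0_4, ..., gige0_(n-2)<->gige0_(n-1)."""
    link: Dict[int, int] = {}
    for i in range(1, n - 1, 2):
        link[i], link[i + 1] = i + 1, i
    return link


def simulate(n: int) -> Tuple[Optional[List[int]], int]:
    """Inject one untagged frame at gige0_0 and follow every copy the switch floods.

    Returns (VLAN stack delivered at gige0_n, innermost first; copies discarded).
    """
    native, allowed = build_switch(n)
    link = snake_cabling(n)
    delivered: Optional[List[int]] = None
    discarded = 0
    queue = deque([(0, [])])                           # (ingress port, stack inner->outer)
    while queue:
        port, stack = queue.popleft()
        # gige0_0 classifies the untagged frame into VLAN1; every other port
        # pushes its native VLAN as a new outer tag (basic QinQ, step 7).
        stack = stack + [native[port]]
        outer = stack[-1]
        # Flooding: a copy leaves on every other port whose allowed VLAN is the outer tag.
        egress = [p for p in range(n + 1) if p != port and allowed[p] == outer]
        if not egress:
            discarded += 1                             # no interface carries this VLAN
            continue
        for p in egress:
            if p == n:
                delivered = stack                      # last interface is wired to PC2
            elif p in link:
                queue.append((link[p], stack))         # cable feeds the copy back in
            else:
                discarded += 1
    return delivered, discarded


def build_frame(stack_inner_to_outer: List[int], ethertype: int = 0x0800,
                payload: bytes = bytes(46)) -> bytes:
    """Serialise the frame PC2 would capture: outermost tag first on the wire."""
    dst = bytes.fromhex("ffffffffffff")                # constructed sample addresses
    src = bytes.fromhex("020000000001")
    tags = b"".join(TPID_8021Q.to_bytes(2, "big") + (vid & 0x0FFF).to_bytes(2, "big")
                    for vid in reversed(stack_inner_to_outer))
    return dst + src + tags + ethertype.to_bytes(2, "big") + payload


def parse_vlan_stack(frame: bytes) -> Tuple[List[int], int, int]:
    """Walk every VLAN tag so the inner EtherType is found at any stack depth.

    Returns (VIDs outer->inner, inner EtherType, byte offset of the inner payload).
    """
    vids: List[int] = []
    off = 12                                           # after destination + source MAC
    while (len(frame) >= off + 4
           and int.from_bytes(frame[off:off + 2], "big") in (0x8100, 0x88A8, 0x9100)):
        vids.append(int.from_bytes(frame[off + 2:off + 4], "big") & 0x0FFF)
        off += 4
    ethertype = int.from_bytes(frame[off:off + 2], "big")
    return vids, ethertype, off + 2


if __name__ == "__main__":
    for n in (5, 7):
        stack, dropped = simulate(n)
        vids, ethertype, off = parse_vlan_stack(build_frame(stack))
        print(f"n={n}: {len(stack)} VLAN layers {stack}, {dropped} copies discarded; "
              f"on the wire outer->inner {vids}, inner EtherType 0x{ethertype:04x} at offset {off}")
```

With n = 5 the script delivers the stack [1, 3, 5] to gige0_5 and discards two copies (the VLAN2 and VLAN4 ones described above); with n = 7 it delivers [1, 3, 5, 7], in both cases (n+1)/2 layers. The broadcast copies that are discarded are the dashed-line traffic inside the circle of fig. 2; a test capture on PC2 should contain only frames whose tag walk ends at the expected inner EtherType.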
In S408, the second packet transceiving device receives the multilayer VLAN traffic packet from the switch.
According to the method for generating multilayer VLAN traffic, the first packet transceiving device generates attack-class VLAN traffic data packets, and/or background-traffic-class VLAN traffic data packets, and/or abnormal-message-class VLAN traffic data packets, and/or mixed-message-class VLAN traffic data packets; multilayer VLAN traffic messages can be produced through the switch alone, without modifying the traffic messages, and their generation is not limited by tool software, so the time taken is short and the efficiency high.
It should be clearly understood that this disclosure describes how to make and use particular examples, but the principles of this disclosure are not limited to any details of these examples. Rather, these principles can be applied to many other embodiments based on the teachings of the present disclosure.
Fig. 5 is a flow diagram illustrating a system and method for generating multi-layer VLAN traffic according to another exemplary embodiment. The flow 50 shown in fig. 5 is a supplementary description of the flow shown in fig. 4.
As shown in fig. 5, in S502 the intrusion prevention system obtains the multilayer VLAN traffic data packet from between the switch and the second packet transceiving device.
In S504, the type of the multilayer VLAN traffic packet is determined.
In S506, when the multilayer VLAN traffic data packet is of the attack class, the abnormal-message class or the mixed-message class, intrusion detection is performed on the traffic data packet.
In S508, when the multilayer VLAN traffic packet is of the background-traffic class, the multilayer VLAN traffic packet is forwarded.
According to the method for generating multilayer VLAN traffic, the messages do not need to be modified, and the multilayer VLAN is added directly by using only a switch; when the traffic model changes, the networking does not need to be modified again.
Those skilled in the art will appreciate that all or some of the steps implementing the above embodiments are implemented as computer programs executed by a CPU. When executed by the CPU, the program performs the functions defined by the methods provided by the present disclosure. The program may be stored in a computer-readable storage medium, which may be a read-only memory, a magnetic or optical disk, or the like.
Furthermore, it should be noted that the above-mentioned figures are only schematic illustrations of the processes involved in the methods according to exemplary embodiments of the present disclosure, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed, for example, synchronously or asynchronously in multiple modules.
FIG. 6 is a block diagram illustrating an electronic device in accordance with an example embodiment.
An electronic device 600 according to this embodiment of the disclosure is described below with reference to fig. 6. The electronic device 600 shown in fig. 6 is only an example and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 6, the electronic device 600 is embodied in the form of a general purpose computing device. The components of the electronic device 600 may include, but are not limited to: at least one processing unit 610, at least one memory unit 620, a bus 630 that couples various system components including the memory unit 620 and the processing unit 610, a display unit 640, and the like.
Wherein the storage unit stores program code that is executable by the processing unit 610 such that the processing unit 610 performs the steps described in this specification in accordance with various exemplary embodiments of the present disclosure. For example, the processing unit 610 may perform the steps shown in fig. 4 and 5.
The storage unit 620 may include readable media in the form of volatile memory units, such as a random access memory unit (RAM)6201 and/or a cache memory unit 6202, and may further include a read-only memory unit (ROM) 6203.
The memory unit 620 may also include a program/utility 6204 having a set (at least one) of program modules 6205, such program modules 6205 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which or some combination thereof may comprise an implementation of a network environment.
Bus 630 may be one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 600 can also communicate with one or more external devices 600' (e.g., keyboard, pointing device, bluetooth device, etc.) such that a user can communicate with the devices with which the electronic device 600 interacts, and/or any device (e.g., router, modem, etc.) with which the electronic device 600 can communicate with one or more other computing devices. Such communication may occur via input/output (I/O) interface 650. Also, the electronic device 600 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the Internet) via the network adapter 660. The network adapter 660 may communicate with the other modules of the electronic device 600 via the bus 630. It should be understood that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the electronic device 600, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, as shown in fig. 7, the technical solution according to the embodiment of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, or a network device, etc.) to execute the above method according to the embodiment of the present disclosure.
The software product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electromagnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present disclosure may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java or C++ and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In situations involving remote computing devices, the remote computing devices may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to external computing devices (e.g., through the Internet using an Internet service provider).
The computer readable medium carries one or more programs which, when executed by a device, cause the device to perform the following functions: controlling a first packet receiving and sending device to generate a VLAN flow data packet; controlling the switch to acquire the VLAN flow data packet from the first packet receiving and sending device; controlling the switch to forward the VLAN flow data packet inside the switch multiple times through the snake-shaped networking of the switch so as to generate a multilayer VLAN flow data packet; and controlling the second packet receiving and sending device to acquire the multilayer VLAN flow data packet from the switch.
Those skilled in the art will appreciate that the modules described above may be distributed in the apparatus as described in the embodiments, and that corresponding changes may be made so that they reside in one or more apparatuses different from those of the embodiments. The modules of the above embodiments may be combined into one module, or further split into multiple sub-modules.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a mobile terminal, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
Exemplary embodiments of the present disclosure are specifically illustrated and described above. It is to be understood that the present disclosure is not limited to the precise arrangements or instrumentalities described herein; on the contrary, the disclosure is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (9)

1. A system for generating multilayer VLAN traffic, comprising:
a first packet receiving and sending device for generating a VLAN flow data packet;
a switch that acquires the VLAN flow data packet from the first packet receiving and sending device and forwards the VLAN flow data packet inside the switch multiple times through the snake-shaped networking of the switch so as to generate a multilayer VLAN flow data packet; and
a second packet receiving and sending device for acquiring the multilayer VLAN flow data packet from the switch,
wherein a plurality of interfaces of the switch are configured in trunk mode, the trunk allowed VLANs of each odd interface are the same as those of the previous interface, and the trunk allowed VLANs of each even interface are the same as those of the interface two positions before it.
2. The generation system of claim 1, wherein
a first interface of the switch is connected to the packet sending interface of the first packet receiving and sending device; and
the last interface of the switch is connected to the packet receiving interface of the second packet receiving and sending device.
3. The generation system of claim 1, wherein
the switch comprises a plurality of interfaces, and the interfaces from the second interface to the second-to-last interface of the switch are connected in pairs in sequence.
4. The generation system of claim 1, wherein
the plurality of interfaces of the switch are configured with QinQ policies.
5. The generation system of claim 1, further comprising:
an intrusion prevention system connected in series between the switch and the second packet receiving and sending device, for performing intrusion detection on the multilayer VLAN flow data packet and generating a detection result; and
a management device for acquiring and analyzing the detection result.
6. A method for generating multilayer VLAN traffic, characterized by comprising the following steps:
the first packet receiving and sending device generates a VLAN flow data packet;
the switch acquires the VLAN flow data packet from the first packet receiving and sending device;
the switch forwards the VLAN flow data packet inside the switch multiple times through the snake-shaped networking of the switch so as to generate a multilayer VLAN flow data packet; and
the second packet receiving and sending device acquires the multilayer VLAN flow data packet from the switch,
wherein a plurality of interfaces of the switch are configured in trunk mode, the trunk allowed VLANs of each odd interface are the same as the trunk allowed VLANs of the previous interface, and the trunk allowed VLANs of each even interface are the same as the trunk allowed VLANs of the interface two positions before it.
7. The generation method of claim 6, wherein the first packet receiving and sending device generating a VLAN flow data packet comprises:
the first packet receiving and sending device generates an attack-type VLAN flow data packet; and/or
the first packet receiving and sending device generates a background-flow-type VLAN flow data packet; and/or
the first packet receiving and sending device generates an abnormal-message-type VLAN flow data packet; and/or
the first packet receiving and sending device generates a mixed-message-type VLAN flow data packet.
8. The generation method of claim 7, further comprising:
the intrusion prevention system acquires the multilayer VLAN flow data packet between the switch and the second packet receiving and sending device, performs intrusion detection on it, and generates a detection result.
9. The generation method of claim 8, wherein the intrusion prevention system acquiring the multilayer VLAN flow data packet between the switch and the second packet receiving and sending device for intrusion detection comprises:
the intrusion prevention system acquires the multilayer VLAN flow data packet between the switch and the second packet receiving and sending device;
when the multilayer VLAN flow data packet is of the attack type, the abnormal-message type or the mixed-message type, performing intrusion detection on the flow data packet; and
when the multilayer VLAN flow data packet is a background-flow-type multilayer VLAN flow data packet, forwarding the multilayer VLAN flow data packet.
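The packet-level effect of the serpentine forwarding described in the program functions above and in claims 6 to 9 (each pass through the switch leaves one more VLAN tag on the frame), as an added Python example that is not part of the patent: the tag stack is built pass by pass, then decoded the way an intrusion prevention system placed between the switch and the second packet receiving and sending device has to decode it before it can inspect the inner packet. The MAC addresses, VIDs and payload are constructed sample values; using the 802.1ad TPID 0x88A8 for the outer tags is an assumption, since the patent does not name TPIDs.

```python
import struct

TPID_8021Q = 0x8100    # customer (inner) VLAN tag
TPID_8021AD = 0x88A8   # service (outer) tag pushed by a QinQ port; assumed TPID
ETHERTYPE_IPV4 = 0x0800


def build_inner_frame(payload: bytes) -> bytes:
    """Constructed untagged Ethernet frame: dst MAC, src MAC, EtherType, payload."""
    dst = bytes.fromhex("001122334455")   # constructed sample addresses
    src = bytes.fromhex("66778899aabb")
    return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload


def push_vlan_tag(frame: bytes, vid: int, tpid: int) -> bytes:
    """Insert one 4-byte tag right after the MAC addresses (what a QinQ port does on ingress)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID out of range")
    tci = vid & 0x0FFF                    # priority 0, DEI 0
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def serpentine_passes(frame: bytes, vids: list[int]) -> bytes:
    """Model the switch: the first pass carries the generator's 802.1Q tag, and every
    further pass through a cabled interface pair pushes one more outer tag."""
    for i, vid in enumerate(vids):
        frame = push_vlan_tag(frame, vid, TPID_8021Q if i == 0 else TPID_8021AD)
    return frame


def strip_vlan_tags(frame: bytes) -> tuple[list[int], int, bytes]:
    """IPS-side decoder: peel every tag (outermost first) and return the VID stack,
    the inner EtherType and the payload; a truncated tag stack is rejected, not guessed."""
    vids = []
    offset = 12
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return vids, ethertype, frame[offset + 2:]
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        vids.append(struct.unpack_from("!H", frame, offset + 2)[0] & 0x0FFF)
        offset += 4


if __name__ == "__main__":
    # Constructed 20-byte stand-in for an IPv4 header, three passes through the switch.
    multilayer = serpentine_passes(build_inner_frame(b"\x45" + b"\x00" * 19), [10, 20, 30])
    print(multilayer.hex())
    print(strip_vlan_tags(multilayer)[:2])   # VID stack outermost first, then EtherType
```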
CN202110320270.0A 2021-03-25 2021-03-25 System and method for generating multilayer VLAN flow Active CN112953809B (en)

Publications (2)

Publication Number Publication Date
CN112953809A CN112953809A (en) 2021-06-11
CN112953809B true CN112953809B (en) 2022-07-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant